[681] in WWW Security List Archive
Re: Credit Card privacy
daemon@ATHENA.MIT.EDU (Alex Hopmann)
Tue May 9 02:16:03 1995
Date: Mon, 8 May 1995 20:08:50 -0700
To: tju@akira.corp.sgi.com, www-security@ns2.rutgers.edu
From: hopmann@holonet.net (Alex Hopmann)
Errors-To: owner-www-security@ns2.rutgers.edu
>I've discovered an interesting site on the web:
>
>http://www.interlog.com:80/~pjm/cdshop/ibm/bykey.html
>
>As far as I can tell, they aren't using any security whatsoever to get their
>credit card numbers. Is this common, or am I missing something here?
>
I think its common and becoming more common.
I have talked to quite a few people who don't care about security for their
credit card #'s. After all, its the credit card companies problem. Someone
steals the #, I report that the charges weren't mine & refuse to pay them.
Part of the reasoning goes: After all, any of the hundreds of people who
have access to my credit card # could be stealing them. Casheers at the
local supermarket, come telemarketing person I gave my # to over the phone, etc.
None of these other users of credit card #'s are even remotely secure. We
have gotten used to assuming some fraud, and the credit cxrd company (&
merchants) pay for it so its not my problem.
This attitude has even been expressed in an editorial by Jack Rickard in
Boardwatch magazine (March, April, or May magazine, I can't remember).
This is an important thing to remember as we design security apparatus. As
long as the problem doesnt directly impact on the consumer (and frequently
enough to be a bother), any non-transparent security measures will be
largely ignored.
Alex Hopmann
ResNova Software, Inc.
hopmann@holonet.net
